Site icon Easy Prey Podcast

Fraud: Not Going Away with Steve Lenderman

Easy Prey
“A synthetic identity is something you should be scared about and how it will impact the present and the future.” - Steve Lenderman Share on X

Synthetic IDs can be used to open fake accounts, but without a person to file the fraud claim, how should companies deal with this type of deceit? There is no crime where someone doesn’t need to pay for the loss. Either way, the loss is passed on to the consumers in some way or another. 

Today’s guest is Steve Lenderman. Steve is currently the Head of Fraud Solutions North America at Quantexa and has over 25 years of experience in financial crimes investigation. His previous roles include being the Senior Vice President of Fraud Prevention Investigations at Bank Mobile Technology, the Director of Strategic Fraud Prevention at ADP, and the Fraud Operations Lead for PayPal Business Loans. He is a certified fraud examiner and actively contributes to the anti-fraud community.

“Most synthetic identities are built around a financial aspect of your data.” - Steve Lenderman Share on X

Show Notes:

“Synthetic identities are integrated into all types of fraud. It is across the entire spectrum and considered a hybrid fraud.” - Steve Lenderman Share on X

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Steve. Thank you so much for coming on the Easy Prey Podcast today.

My pleasure. Looking forward to it.

Can you give the audience a little bit of background about who you are and what you do?

I'm Steve Lenderman. I'm a certified fraud examiner. I work for a company called Quantexa now—Head of Fraud Solutions for North America. Prior to Quantexa, 25 years in the financial fraud sector, fintech space, large payroll, large peer-to-peers.

I'm born and raised in Wilmington, Delaware, what I call the credit card capital of the world. I cut my teeth in the credit card industry for the first 15 years or so of my career.

I graduated from the University of Delaware. I've been working in the fraud space, mostly in the synthetic fraud space for the last 15–20 years. I'm considered an industry expert on synthetic identity. Let's keep current all the current fraud trends that are out there, emerging trends, etc. I think fraud is fun; go figure that.

What got you interested in this space? You got your accounting degree and someone just said, “Hey, we need your help,” or was this a plan?

I guess it was a plan. Through the course of college, I wanted to be in law enforcement. I ended up looking to be a state trooper for a while. I quickly realized that the first few years of my career as a state trooper, I would be stationed in a barracks that was pretty far away. I worked every night and weekends.

To put it nicely, I opted to take a little left-hand turn and got into the banking. As I mentioned, Wilmington, Delaware is the credit card capital of the world, so I could literally have probably gotten a job anywhere in the banking sector. I ended up in a few places and just stumbled into it from there.

My younger brother always joked with me—he called me the credit card cop. I got sucked into credit card fraud, and that sucked me into all this other fun stuff. Here we are 25 years later, still in the fraud business. I wouldn't look back on it in any way, shape, or form. It's been a great career.

One thing I'm trying to do now is get more people involved in a career path that involves going to university, college, they have to go to law enforcement. There are plenty of jobs in cybersecurity that are out there, plenty of jobs in fraud space, financial crimes, AML, human trafficking. There are all these career opportunities in and around fraud.

What I've been doing recently is trying to work with recent graduates and thinking about getting into fraud. I always say there are two things that are never going away: fraud or funerals. Neither one of those two things are going away. Great career path, and it's a lot of fun.

Let's talk about that a little bit before we jump into synthetic identities and whatnot. If someone wants to get into the counter-fraud space, what background should they be looking to build up?

Clearly, I think a diploma is—I’m not going to say a requirement, but it is highly recommended. A degree in criminal justice is always a background there. Anything in mathematics, anything analytical, I think would be helpful.

Obviously, you could work in a cybercrime degree or cyber security degree. Although, I would think that's probably a little bit of a different career path, but fraud, cyber and fraud are intermingled; there's a different pathway there. Right now, I think there's certainly a career opportunity from that perspective.

Like anything, it's mostly street knowledge, webinars, conferences, professional associations, lots of reading, YouTube videos, etc. There are lots of ways to learn about fraud.

I'll be honest, my degree is in criminal justice. Would I do it again? Absolutely. This may be a terrible thing to say, but how much of my degree have I used in my day-to-day work in the last 20 years as far as fighting fraud? The answer is: honestly, very, very little.

Most of the fraud stuff that we learned is you learn from being involved in it and immersed in it. Understanding the fraud patterns, the trends, and just going there. That isn't really teachable in a university setting. -Steve… Share on X

Most of the fraud stuff that we learned is you learn from being involved in it and immersed in it. Understanding the fraud patterns, the trends, and just going there. That isn't really teachable in a university setting. It's not that it can't be done, but it's very difficult to do that. The foundation has to be set. A diploma would be, I think, very, very helpful.

Professional associations, like I mentioned earlier, go out and get a certification. These are the ACFE, the IAFCI. There's the ACAMS certification. These are all certifications that touch on our own fraud, which are really more connected to the foundations of fraud, how they're committed, why they're committed. Those, I think, really helped you advance your career.

One thing that I didn't do early enough was obtain some certifications. I thought I knew it all. That's something I do know. Those certifications certainly helped advance my career as well, so worthwhile.

Got you. Let's talk for the audience. What is a synthetic identity?

Synthetic identity is something that you really should be scared about. How it's an impact in the past, present, and future here gets really interesting. We all think of ourselves, we have our own identities. People will say, “You have your identity, your identity stolen.”

What is your identity? For some, you have your physical identity. That's your eye color, your hair color, your height, your weight, shoe size, and things of that nature. These are all physical attributes that we convert into a data set. You look at your driver's license, it tells you those pieces of data, and that's your data. That identifies you.

Outside of your physical attributes, you have lots of other identifying features that are out there. Most of these synthetic identities are built around a financial aspect of your data.

I think COVID accelerated this quite dramatically, but days of going into branches and walking into a bank are almost over. Even working in the big credit card banks, like we worked on before, when you obtain your Citibank card or Bank of America—pick your credit card—you don't typically go into a branch. You applied online, or applied over the phone, or you applied on a piece of paper, God forbid, way back when, mailed it in.

For those of us who are even a little more mature, you apply when you're on university campus. Somebody suckered you for a credit card, and you got a blanket or a hoodie at an 85% interest rate. That kind of fun stuff. But it goes back to this idea that you're building a financial identity. That's what synthetics have really come around to be. It's this concept of using bits and pieces of financial data.

For us, it's obviously our name. It's obviously a date of birth. It's our Social Security number, which was never intended to be a financial identifier, but we've turned it into one. The SSA can't stand us for that one, but all the banks use it.

Other identifiers as well as your credit score. It's identifiers as addresses, but we can get really deep into additional identifiers. This is your device information, your fingerprint, your age and […]. You get into 800 different characteristics there.

The concept is this: You're going to essentially create a financial identity out of vaporware, because when you apply to the big banks, you're applying digitally and also getting fewer pieces of data. When you call a call center, they talk into you. They're still looking at all your data on the screen. Everything about you is a piece of data set that identifies you.

Synthetic identities manipulate those data sets, and I can create this identity from thin air. I can create a John Doe, I can create a John Doe date of birth, a John Doe Social Security number, a John Doe identifier. I can create a new device information. I can do all these things.

I basically create this identity financially to use in the financial sector. A synthetic identity in the past was really around, just again, financials. It's morphed into other nefarious things, which we probably won't get too far into. It was really the onset they have created to basically clean credit, repair credit, and commit fraud. That's where they came about.

The big problem for us is that these identifiers are easily created, easily manipulated. It's a victimless crime because if I steal your identity, Chris, eventually you're going to know. You're going to credit, your bureau hits. You're going to get freeze alerts, get collection notices, etc. You would say, “Chris Parker is a victim. I stole your identity. I used it nefariously.” But if I make up a completely unique identity that doesn't exist to anybody, there's no real victim there.

The victim is the bank. Don't get me wrong. The bank is going to be held with a loss, but there's no actual person who's there because the person is a ghost. There's nobody there to complain. There's nobody to collect on. These synthetic identities end up being charged off in collections, and they get written off and go from there.

That's just the synthetic came about, how it works at a very, very high level, and where they're going. I want to dive deeper into my stuff in a minute, but I'm sure you had another question for me.

I guess it's the question of, OK, it's not a consumer victim crime necessarily, it's a business crime. Why should consumers be afraid of it?

Because when the banks take the loss, we know what happens. When any corporate entity takes a loss, that loss is passed on to the consumer. They're never going to eat that as a loss to them. They're going to share that with their entire customer base. There are just things out there that aren't synthetic identity. Some of these numbers are just astronomical.

Because it's underreported, like all fraud in general, now we have a situation where, again, we really didn't know it's fraud because there's nobody reporting that it's fraud. You have to go out and identify it. There isn't someone to say, “Yeah, that was my identity.” It's very difficult to put actual numbers around this.

I will tell you, some initial reports we've been looking at and working with these banks in the past, anywhere between 10% to 20% of their charge-off losses are probably synthetic identity.

If you look at just the bank's charge-off and take 10% of that, that's just the synthetic identity part of the fraud. That doesn't include all the other fraud they're writing on too. You take these different elements of fraud, add them all up, and then you and I are paying for it.

You take these different elements of fraud, add them all up, and then you and I are paying for it. We're paying for it in interest rate charges. We’re paying for it in service fees. We’re paying for it in lots of different ways.… Share on X

We're paying for it in interest rate charges. We’re paying for it in service fees. We’re paying for it in lots of different ways. That's why the average consumer should be really concerned about synthetic identities from a financial perspective, because it is costing you in your pocket for sure.

Without a consumer victim reporting, “Hey, my identity was stolen,” do the banks have any incentive in reporting it to anyone? If I were a bank and it wasn't a consumer that was defrauded, I don't want to tell people.

That's been part of the problem around synthetics as well. It's a hybrid fraud. It grows and manifests from a credit perspective. Synthetic identity would apply for a credit card, for example, and get this credit card. Then they would use the credit card to make purchases, etc.

Now, depending on the style of the fraud, whether it's a short game where they just use it, spend it, and then walk away and leave it there for the bank with $5000–$10,000 in losses. Or whether it's a longterm play where they, over the course of six, six, seven months, maybe two years, whatever it is, or move money, moving around, and they basically increase their credit limits, etc., and then you have a huge amount of money that could be left there hanging.

The hybrid part of the synthetic is this: When it goes bad, it goes bad, typically into the credit space. Is it reported? Yes and no. It’s reported from a collections perspective, but it's not really going into any other fraud reporting.

What is happening from a reporting perspective is you're seeing that charge-off go against the credit bureau. The synthetic identity would, just like we all have a credit bureau, they have credit bureaus too. The identity would charge-off just like a bad debtor would charge off with a low FICO Score, a low VantageScore, which wouldn't be used. Obviously, once your credit score goes in the 500s or 400s, you're not getting credit cards anymore. You pretty much burn the identity.

One of the biggest challenges we had in the early 2000s around closing synthetic identity is accounts. We knew it was synthetic, but we couldn't close it down because we had no victim. We had nobody claiming it was fraud. -Steve… Share on X

There is some reporting around that perspective. But again, the issue comes down to, as you mentioned, there's “no consumer victim.” It's very difficult. One of the biggest challenges we had in the early 2000s around closing synthetic identity is accounts. We knew it was synthetic, but we couldn't close it down because we had no victim. We had nobody claiming it was fraud.

We had, obviously, regulatory controls. We had privacy and legal controls around things. We identify these accounts, and there really was no other way to identify them. You said you had to make up a status, because there are fraud typologies that are established through the banking sectors. It's identity theft, it's counterfeit card, it's card not present, or whatever it might be.

Synthetic identity still isn't really considered a fraud typology in most banks. They leave it as a credit loss. It really is going to be a credit loss, but I'm a fraud act. Opening an account nefariously to steal funds is fraud. But without a fraud claim, they get treated as credit. It's a catch-22.

There's a weird compliance nuance to it. We know it's fraud. We can't report it as fraud because the identity didn't report it as fraud, so we can't manage it. It's a little circular.

It's really circular. It's so circular that there's a magic form that we all have to fill out from a banking perspective. I'm not allowed to legally say what it is, but on that form, all banks are required to use certain types of fraud over a certain dollar amount; synthetic identity is not on that form. Every other fraud you can think of, from insurance space to banking, to gambling, to human trafficking, to antiterrorism, but synthetic identity is not on that form.

Synthetic identities tie into all of those types of fraud that are out there. Synthetic identity is not just a financial problem, it is an immigration problem, it is a human-trafficking problem, it is a credit problem, it is a political problem. It is across the entire spectrum, but let's try to bring it back down, maybe focus on the financial side of things.

It’s really interesting. It's a hybrid fraud. Banks are much better at it these days, but this is a 20-year problem. This is not a new problem. First when I worked in synthetics, I worked at credit cards, and that would have been in 1997–1998 before I started our first synthetics. No one knew what the hell they were. Like, “What is this? This doesn't make any sense.”

Finally, the banks got together about three or four years later, started some consortiums, and started talking about it. One thing the banks would do really well is that banks will collaborate when it comes to fraud. It's a non-competitive environment. We started talking with each other, like, “What are you guys seeing? What are you seeing? What are you seeing?” Start bringing the credit bureaus in and things like that.

We eventually formed a working group that I co-chair right now called the Bust Out Synthetic Identity working group—BOSI—that has been working in synthetics for almost 20 years now. It's an interesting space just because the banks don't know what to do with it quite yet. It's now permeated into the insurance spaces, permeated into healthcare.

You have these identities that are financially really, really good and have been aged and seasoned to look like real people. How you're taking them to industries that don't have a clue what they are in the first place—it’s a wonderland for them. It's euphoria. They've opened Pandora's box in other industries.

I was thinking back to name your favorite crime show. If it's a, “Oh, we're going to create a backstopped identity for this investigator when they go undercover and blah-blah-blah-blah.” The thing that I wonder is when you were talking about aged identities is, how are you starting to see identities that have been aged 10–20 years now that's like, “Oh, it's long enough that this person really could be an adult”?

A couple of things will come into play there. Yes, this has been going on for, as I mentioned, 20 years or so. You do have identities that were created 15, 16, 17 years ago that are still being used. A case in point, I own three synthetic identities that I use for research purposes. They serve as operational security for me when I'm doing different research.

One of the best ways, I guess, to learn about fraud, I hate to say it is not to commit fraud, but to understand how the fraud itself works. Back in the early 2000s, I decided, “Hey, this is synthetic.” It intrigues me, so I created one. That one turned into another. I essentially have an entire synthetic family.

I have a husband and wife both in their mid-40s. Three years ago, I spawned a synthetic child who is now 15 years of age. It's been fun to see how that's there. People always ask me, “Why did you create a child?” This one is a complaint, which is nice. It doesn't cost me anything. That's a plus.

One of the tricks people always said was, “Well, synthetic identities, when you want to define them or try to catch them, they typically don't have families,” which would be nice for some of us. Sometimes we don't want our families either, but synthetic identities typically are individual things. They're connected from a network-graphing perspective. There's what we call it controlling mind with minds that manage thousands of synthetic identities, but they're not creating families or just creating identities, one-offs, bang, bang, bang, bang, bang.

If you pulled up a synthetic identity, like a LexisNexis, TLO clear, or some data sort, you would see, “Wait, this person has no relatives at all. How'd this happen?” Good science synthetic. I decided, let's create a synthetic identity child and see what happens. It's been successful so far. I'm interested to see if I send him to college or not in the next few years.

It would be interesting to see. Hypothetically thinking, do I apply for student loans with this synthetic identity child and take proceeds of those funds? We used to go to college on campus. Now, college can be completely hybrid or completely virtual. I can send a synthetic identity to a college, obtain financial assistance, take the classes, graduate, even go work remotely, and complete synthetic. Obviously there's something behind doing all that, don't get me wrong, but that's where we're actually headed in that perspective. It gets really, really interesting.

A virtual identity, going to a virtual college, and getting a virtual job.

I will tell you this. My two synthetics that I manage, the husband and wife both have full-time jobs. They receive payroll through a payroll company. We pay taxes. I always pay the government. I don't always take out the government. You pay and they don't see in their mind as much, just take it out, so I always pay them.

We go about life like they're a normal family. It does take work for me, but technology has been really helpful the last couple of years. I can just set up social media posts. I can do different things. I can buy things on Amazon. Who doesn't have an Amazon Prime account? You can buy synthetics at Amazon Prime. It's been interesting to see how that all plays out from that perspective, and it's gotten really easy to do. I need to say it. That's what scares me now, really easy to do.

From entities that are creating the synthetic IDs, are you seeing more of it being criminal organizations, independent people? It's like one organization that's creating tens of thousands, or is it tens of thousands of people creating one or two?

We've seen a significant change in the threat actors with synthetic identity. Again, in the early 2000s, it was typically a couple of people managing a few identities—maybe 10, 15, 20. If you've got somebody with a 50, they were really, really good at this. It was a lot of work. It is a lot of work to create a synthetic identity the old-fashioned way like we used to do it. It took me several months to create synthetic identities and get them up and running.

You get into a little more gang-related activities. People understood when this was out, and the trade secrets were now being shared on the dark, deep web. Now, different groups are working on these things. You started seeing some trends in organized crime, particularly the Eastern bloc. Nothing government-related, it was just the usual hackers and that crew.

I would say the last two or three years, we've seen a significant change in the threat landscape going to large-scale synthetic identities—40,000 or so synthetic identities that have been created by a particular nation state.… Share on X

I would say the last two or three years, we've seen a significant change in the threat landscape going to large-scale synthetic identities—40,000 or so synthetic identities that have been created by a particular nation state. They're creating these identities more likely for some financial gain, because then they could use those to fund the government programs. They're also using them for political influence to put it nicely.

We've seen actual nation states now getting involved in creating synthetics in their target environments, but even on their own homelands. It really progressed the complexity from one or two people managing 10, 15, to 20, to a larger group, organized individuals who work globally to create maybe a couple of hundred, if not thousands, to seeing these nation states that were fully invested into creating synthetic identities.

To put in perspective, I mentioned when I created my first synthetic, it took me a few weeks, if not months, to do that. Last month, using a particular LLM out there, I created a synthetic identity in seven minutes. That's the scary part. Any idiot can do it now. I mentioned you had to go on the dark and deep web before to find the trade secrets and be able to figure it out. Now it's on Telegram, it's on Reddit, it's on Instagram. It's everywhere.

When I do these presentations, I always tell people, “Take out your phone, go on Instagram, and type in ‘credit repair.’” Every one of those people selling you credit repair is selling you a synthetic identity. Credit repair and a CPN is illegal. It is a synthetic identity and it is fraud. People who get involved in these things, you'll see, hundreds of them are selling CPNs, which is a consumer protection number. That's a version of a synthetic identity. Consumers, beware, please.

They just rebrand it.

Yes, they rebrand it. Yup, for sure.

How is the financial industry responding to this upscaling and explosion of synthetic identities? It's been 10%, and it takes months or years to build an identity. If it becomes minutes, that 10% suddenly becomes a larger number. Are there easy ways to identify some patterns in identifying synthetic IDs, or is it a significantly more complex issue?

It's more complex. Like I mentioned, synthetics are all built around data. What's the one thing? Technology has gotten really good in the last three years. Generative AI, LLM is data and big data management. The larger banks are very well-positioned because they love data. They have data scientists, they have data architecture teams, and they have lots and lots of data.

They're prepared to look at this in synthetics now, because they are interconnected by a much larger network. They show up in just typical spider charts you see, or you can see the networks of these synthetics here and there. The big banks are very well-protected. There are lots of vendors out there who provide some services that are very good as well.

What concerns me is when you put your fingers in the hole of the levy, it finds another way out. The path of least resistance right now isn't really with a midsize and tier one banks because they're well-protected. It's the small to medium regional banks that are really in trouble.

The credit unions don't have the resources, and they are expanding their customer market outside of their little geographic area now. They're taking customers and they're getting exposed. Fintechs, these are, again, the branchless banks that are out there. We'll leave them nameless, but they are a feeding frenzy of synthetics in the fintech space from a financial perspective.

I did mention earlier, it gets even crazier. Now the bad guys have figured out, “Wait, I can use these synthetics in other industries to also gain funds.” An example I'll give you is the insurance industry. You're like, “Wait, insurance fraud has always been a problem,” but insurance fraud is usually people being deceitful or overestimating about insurance or an injury. There are inclusive doctors, these are all people.

Imagine synthetic identity getting auto insurance, staging a fake accident with synthetic identities as passengers, and states New York have an auto pay no matter the dollar amount. Now you start committing insurance fraud by submitting fake claims, but it gets better. You can get life insurance on synthetic identity.

My male husband has a $3 million life insurance policy. I'm not sure what I'm going to do with that quite yet. Maybe it's my retirement plan. Who knows? Just kidding. It was with the top carrier. Now I have a synthetic identity who I can kill off at any point in time and use fake doctor information, fake death certificate, whatever it might be. Now I can walk away with a million-dollar, $2 million, $3 million payout.

That gets us figured out. Wait a second, the banks, there's money there, but there's more money and less friction in insurance, healthcare, buy now, pay later, immigration, human trafficking, scamming, money muling. It's so much easier to do with synthetics than it is with real people. That's the shift that really scares me.

I see small businesses would very likely be targets for synthetic IDs, because if I'm running a small company and someone says, “Hey, I want to buy a thousand widgets from you.” “OK.” “I want to buy them on 30-day net terms.” “OK, well, here's my synthetic history of my business.” I get the thousand widgets. I don't pay you, and I sell them all on eBay.

It's a great segue. I've been talking about synthetic identity most of this conversation, which is about the individual. I've been calling it synthetic entities. These are businesses that are essentially fake. Some would say, “Well, that's no different than a shell company.” I'm like, “Well, they're a little different.” My opinion this way, and I've been breaking this down for the last few years.

Even right before COVID hit, I almost knew something was going to happen, but you have a shell company, which is, again, a legitimate business that's been incorporated. Those are used to make the business look older. Age the business so they get more liquidity. They can get better rates, insurance, etc.

You have the shell company, which was made famous by the cartels for laundering money. Shell companies are typically used for tax evasion, tax aversion, and straight out laundering of illicit funds. The concept of a synthetic entity is the business itself, as you mentioned in your example, was created specifically to commit the fraud itself. Not to launder it, but to commit the fraud itself. Synthetic entities exploded around PPP fraud.

When it was easy to create a business, you incorporate yourself. It looks legitimate because you've gone through getting an EIN number, you get your state registration, you do all these things that you do. Your officers—guess what?—are synthetic identities as well. Everything is fake about it. Like I said, you qualify for PPP, you go to a lender, and you get a business loan.

This is what really scares me about the synthetic entity space. It's easier to do, and the exposure is between five to 10 times higher. Consumer line versus commercial line. Synthetic identity credit card, and they get a $5000–$10,000 credit line. But if I have a synthetic entity and I got a credit card, it's a $50,000 credit line. The bad guys now go, “Wait a second, it's easier and I can make a ton more money? Why am I playing in this space? Let's go over here.” And they are.

It makes me wonder: Are people out there creating synthetic identities so as to not risk themselves and trying to start up a business? “Hey, I have this legitimate business idea, but it's risky. Let me start it up as a synthetic business, so to speak, with synthetic IDs, run it. If it's successful, I'll figure out how to get it back in my name. But if it's not successful, it doesn't hurt me individually because it didn't really exist.”

Yeah. Again, that's another great point. It ties into another shift that we're seeing in the fraud space in general around first-party fraud. You're using your information to commit fraud, and on purpose. You're defrauding yourself, essentially. That's a really interesting concept you're thinking there.

I haven't really thought of that before. Why would I risk my name and my credit? Even though you do an LLC, you can get away from that. People do a lot of what they call phoenixing. It is creating a new business under something else. Take a restaurant business; it's famous for that. That was the ABC Pizza Store; now, it's XYZ Pizza Store. It's the same people. Everything's the same except it's rebranded. That's a really interesting thought. I may have to try that one.

Your synthetic family is going to start a synthetic business now.

We do.

Where do you see this issue going into the future? Is the counter-fraud space, the counter-fraud activists moving fast enough to stay on top of it?

Again, I think technology has really helped us. Generative AI is really going to help us look at this bad system data. We can go back, look at that collections data that's got defaults in it. Before, it was a very manual process, you had to have a data scientist who would write code back and forth. Now, you can just literally throw it against one of the LLMs, and it'll find discrepancies pretty easily there.

Where it's going for me, again, I mentioned is the ease of use and its scalability, which really concerns me. We're going to take again a synthetic identity, which is just data pieces right now. They don't have voices. They don't have faces. They don't have physical attributes, but they do now.

The next phase we're getting into is deep fakes. Everybody's talking about deep fakes is a buzzword, blah-blah-blah. Now you can create a deep fake to match for your identity. When I want to do a liveliness check that a fraud prevention company would say, “Look, give me a selfie. Let's go on camera and prove to me who you say you are.” “OK, I'll just use my deep fake.” It's, again, relatively easy to do.

There are plenty of open source providers that are out there. You don't have to go to the dark, deep web to get worm GPT, or to get a bad GPT version. I think the government and the industry are trying too. Anything that's a deep fake created, organically, I guess is going to have a watermark stamp on it, blah-blah-blah, which is great—don’t get me wrong—but how long will it be before the bad guys just counterfeit the watermark?

It's not like the bad guys are using these services to create a deep fake. They're using other services that are actually much more robust, that are not regulated, and have the ability to feed off more data than we do from the good side of things.

Synthetics is going to now have a face. It's not going to have a voice. It's going to continue to, I think, evolve into the next phase of things, which could be something as interesting as avatar banking.

Now, you're going in through a SIM. Capital One has one right now. You walk into a virtual bank, and you can transact with a virtual teller. Now think about this: I just created my avatar, my synthetic, and I'm completely doing this in the virtual world. There's nothing there physically. It could get really interesting really quickly.

Amazing. As we wrap up here, what would your advice be to consumers, small businesses, and the finance industry?

We'll start with consumers first. I always say this: A lot of synthetic identities are spawned off of different versions of identities, typically children's Social Security numbers, or elderly, or deceased. If you're a parent, you have a child under 18, and I heard this before, but please freeze their credit. It's a no-brainer, doesn't cost you anything.

If you have parents that are aging, look at my parents in their late 70s or 80s, they don't need the credit anymore. The houses are paid for. They'll freeze their credit because they usually have a good credit score, and lots of exposure out there to be used. Those are two things that I would certainly recommend, not just your children, but think about your parents as well.

From the small business side, this is what gets really scary for small businesses because they're not protected by Reg E or Reg Z, which protect the consumer from fraud. When a business has a fraud issue, the business typically has to eat it. These small businesses don't have the pockets to withstand some of these losses that are out there.

If it's too good to be true, like you said, I guess brand new, who wants to buy 10,000 widgets and they want to pay 30 days? Slow down, do your homework, look and see if what you're dealing with is what you really think you're dealing with.

In the past, if all controls were, “Are you saying you are what you really say you are?” Now, I tell a lot of it to people. The first question you should ask yourself, “Is this thing even real?” Let's get that, and then we'll find out if they say they are who they say they are. Let's determine, is this thing even real for us? Small businesses should do the same thing.

The banking side, I mentioned the tier ones and mid-levels are pretty well-protected from a data perspective. They have the resources financially, technology-wise, vendor-wise, etc. They've been attacked for the last 15–20 years, so they have defenses. The credit unions, fintechs, and SMVs are exposed. They're basically naked with no sunscreen. They're going to get burnt. They don't have the resources. One or two synthetic losses to them could put them out of business, legitimately.

That's my advice for those who belong to the consortium. If anybody is interested in belonging to the working group, you can reach out to me on LinkedIn. Happy to join. It's free, and we’ve got to share the information about what's good and bad. I have to do that for you guys.

That's where we should wrap things up as far as giving advice to those guys. I do have one more piece of advice. Sometimes we call it hopes and prayers, because sometimes it's not a matter of if, it's really when.

Steve, thank you so much for coming on the podcast today.

Awesome. It was a great time. Great conversation. Really appreciate it.

 

Exit mobile version